Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    05-02-2022 19:38

General

  • Target

    0b96754a84bc2c01e4e8d64a534c03b5636fb6e958f7c381f9c27e646466cd32.exe

  • Size

    348KB

  • MD5

    272220cefcb1b929e0fe0bb6da3557ca

  • SHA1

    d302ddbad294b31e3d92bd1ea1eb7bd64d142a1f

  • SHA256

    0b96754a84bc2c01e4e8d64a534c03b5636fb6e958f7c381f9c27e646466cd32

  • SHA512

    5574e8a7dc7dfb07650c613aab678cfd93ef48b3674779f22bed321ab266f0c4b0b6b31f8eb907a6836f7c7677e1c4739ccefa1214c9e7d6cfe52fbb213f7288

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

70.48.238.90:80

82.223.70.24:8080

190.160.53.126:80

113.61.66.94:80

180.222.165.169:80

59.148.227.190:80

189.154.128.205:80

46.105.131.87:80

110.145.77.103:80

211.63.71.72:8080

98.156.206.153:80

209.151.248.242:8080

91.205.215.66:443

136.243.205.112:7080

104.32.141.43:80

115.65.111.148:443

212.174.19.87:80

168.235.67.138:7080

200.123.150.89:443

5.196.74.210:8080

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b96754a84bc2c01e4e8d64a534c03b5636fb6e958f7c381f9c27e646466cd32.exe
    "C:\Users\Admin\AppData\Local\Temp\0b96754a84bc2c01e4e8d64a534c03b5636fb6e958f7c381f9c27e646466cd32.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Windows\SysWOW64\mciqtz32\mciqtz32.exe
      "C:\Windows\SysWOW64\mciqtz32\mciqtz32.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1932

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    System Information Discovery (T1082) — 1

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2329389628-4064185017-3901522362-1000\0f5007522459c86e95ffcc62f32308f1_3bd845b8-ce6a-4337-9974-31490196462a
    MD5

    f9e6dc11aa4143278cda477bb6532106

    SHA1

    5505bf0b329f4ac4228d824e2ba34fcf9d308ca8

    SHA256

    0cfb03e92f2c4939edd36091676c8901b3e82d95cbb284eb3aa15e45ccb267cb

    SHA512

    f720f4cce77993f8933102d245ea6a2857250fedc62832262921c6394c9a52da97fb2997445b426bdfae788ef01b70299d3e199d2bb5bca9e9b2194b9f70eee6

  • memory/1196-54-0x0000000074B21000-0x0000000074B23000-memory.dmp
    Filesize

    8KB

  • memory/1196-55-0x00000000003E0000-0x00000000003E2000-memory.dmp
    Filesize

    8KB

  • memory/1196-56-0x00000000004A0000-0x00000000004AC000-memory.dmp
    Filesize

    48KB

  • memory/1196-58-0x00000000003D0000-0x00000000003DA000-memory.dmp
    Filesize

    40KB

  • memory/1932-61-0x0000000000270000-0x000000000027C000-memory.dmp
    Filesize

    48KB